David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication – IGTF Generalized LoA, … and AARC! With inputs from: Interoperable Global Trust Federation IGTF AARC – coordinated by the GEANT Association/TERENA EGI SPG

David Groep Nikhef Amsterdam PDP & Grid Risk based policies and assurance Focusing on the inputs ◦ Assertions: identity, attributes ◦ Release and Trust: policies on SPs, on IdPs, or both? Developing the composite AAI landscape ◦ Authentication and Authorization for Research Collaborations Assurance Levels – both ways

David Groep Nikhef Amsterdam PDP & Grid Action (app) based More constraint actions can lower need for identity LoA (J)SPG VO Portal policy does that: 4 levels of actions Resource (value) based e.g. access to wireless network does not pose huge risks, so can live with a lower identity LoA (eduroam) Subject (ID/LoA) based Defined identity assurance level Includes Community-given LoA For given actions, resources, and acceptable residual risk, required ID assurance is a given ‘risk envelope’ Risk Residual Risk:

David Groep Nikhef Amsterdam PDP & Grid Determine the risk envelope What are you willing to accept? ◦ Cost of monitoring to assess/retain systems integrity ◦ Cost of recovery in case of incidents (time, money, consultancy costs) ◦ Benefits of having more (paying) users ◦ Benefits of appearing ‘low-barrier’ Considerations include ◦ Your ‘outside’ risk envelope should stay the same – determined by local regulation, ◦ the AUPs of your (network) peers, ◦ your (media) exposure and reputation status

David Groep Nikhef Amsterdam PDP & Grid Collaborative risk In beyond, we have developed models shifting responsibilities within the risk envelope VO Portal Policy: offset lower ID vetting with restricting actions Consider lower-risk services (think eduroam) Now incorporating collaborative subject attribute provisioning High-quality VO ID vetting (F2F)&IOTA identifiers (e.g. LHC) Mediated User Registration + actions containment + simple identifiers: LToS Specific Security Policy

David Groep Nikhef Amsterdam PDP & Grid For now focus has been largely on getting assurances from the service providers, e.g. ◦ Data Protection Code of Conduct ◦ developed Privacy Policy ◦ Justification for each attribute requested ◦ R&S Entity Category (for attribute release) Assurance in R&E federations

David Groep Nikhef Amsterdam PDP & Grid … so we need some assurance from IdPs and Federations … this is new for most IdPs! ◦ Many (most) SPs have been ‘low-value’ – now changing: also pressure from publishers worried about proxies ◦ Focus of the IdP is to serve bulk users (students and admin staff), not typically researchers – there are too few! ◦ The IdM folks are (typically) not the people doing IT Sec or CSIRT ◦ and: not simple to get formal agreements really signed by an R&E institution (too many lawyers we don’t need get in the way) So we need some (‘R&E’ friendly) IdP assurance ◦ Because we believe practices are actually pretty OK – just not transparent! ◦ And we have done it before: for the IdPs that signed up to TCS! But EGI is (mostly) an SP

David Groep Nikhef Amsterdam PDP & Grid Example: IGTF trust building method Accreditation process ◦ Extensively documented public practices (CP/CPS, RFC3647) ◦ Interviewing and scrutiny by peer group (the PMA) ◦ Assessment against standards (LoA and APs) ◦ Technical compliance checks (dependent on credential type) Periodic, peer-reviewed, self-audits ◦ Based on Authentication Profiles, standard reference: GFD169 ◦ inspired by APs, LoA, and NIST SP800-53/ISO:IEC Federated assessment methodology by region (IGTF) ◦ keeps it scalable by ‘divide & conquer’

David Groep Nikhef Amsterdam PDP & Grid Federation of major Relying Parties (RPs) and identity providers that jointly agree on achievable and sufficient assurance ◦ RPs like PRACE, EGI, EUDAT, XSEDE, OSG, TERENA/ GÉANT, HPCI, … and many national representatives ◦ Identity providers, both from R&E and beyond About 2-3 distinct levels (not the Kantara ones) And a R&E ‘unique’ verification mechanism: peer reviewed and open documentation IGTF LoA Generalisation

David Groep Nikhef Amsterdam PDP & Grid IGTF ‘levels’ are useful classifying IdP assurance levels for distributed infrastructures ◦ There is not exactly a hierarchy (so we used opaque names) ◦ Is technology agnostic (PKI, SAML, OpenID/OAuth) ◦ ASPEN, BIRCH, CEDAR, DOGWOOD ◦ Reflect trust level of SLCS, MICS, Classic, IOTA ◦ Many IdPs are actually ‘good enough’ (certainly for DOGWOOD), but just forget or are afraid to express their (usually rather good) practices! Generalised LoA

David Groep Nikhef Amsterdam PDP & Grid The future is bringing us attributes from many sources identifiers from R&E or external providers Attributes on community membership Eligibility attributes, social attributes, … There are many, and quick, technical developments OpenConext, Grouper, PERUN, VOMS, HEXAA, … But there’s no (assurance level) collation mechanism yet … How to compose policies? How to assemble attributes with distinct LoAs? … nor is there a framework to interpret it Coming soon to a theatre near you: Compositional attributes & LoA

David Groep Nikhef Amsterdam PDP & Grid For LoA to be useful, it needs to consider risk and e.g. incident response capability when all assertions are combined for a final AuthZ decision ◦ Any source of attributes has an LoA (even if it is not yet expressed in readable form) ◦ The end-to-end system collaboratively needs to address risk: identifiers, attributes, resource data ◦ Example IGTF LoAs: The IGTF itself deals in identifiers, but the LoA framework could be applied to more attributes Decision based on attributes from multiple sources ◦ Need to make the LoA more ‘visible’ to authZ software ◦ But you should not just force higher LoA for all, but ◦ Allow for ‘collaborative’ assurance from many sources Making LoA useful

David Groep Nikhef Amsterdam PDP & Grid Authentication and Authorization for Research Collaborations AARC Expanding the work

David Groep Nikhef Amsterdam PDP & Grid On the technical side ◦ address Single Sign On for non-web applications ◦ authorisation side: attribute aggregation ◦ integration of credential use Both these areas are rather complex and even if progresses have been made, there is still need for further work On the policy side ◦ Consolidate initiatives where work is carried out ◦ GÉANT project, EGI, IGTF, REFEDS, FIM4R, RDA, e-IRG, SCI, SirTFi, … Why AARC?

David Groep Nikhef Amsterdam PDP & Grid Organisational and legal (policy) work eduGAIN REFEDS (R&S, CoC) IGTF RP (EGI, OSG, PRACE, XSEDE) LoA requirements Technical work Various non-Web SSO techniques Credential translators (STS, Portals, SLCS CAs) Inputs to AARC

David Groep Nikhef Amsterdam PDP & Grid Part of an ecosystem Research on scalable policy models (LoA, incident response, etc.) AARC Pilots (Guest IdPs, Attribute providers, etc.) Training/Outreach REFEDS/FIM4R/ RDA ESFRI Clusters/GÉANT /EGI/EUDAT Libraries, institutions, resource providers, etc.

David Groep Nikhef Amsterdam PDP & Grid Although there are ‘only’ 20 project partners it is a pan-European effort! ◦ work plan is to be co-developed collaboratively ◦ communities are encouraged (in several ways) to attend workshops and express their requirements Your input is very welcome! project start: ~ March 2015 An open collaborative effort TERENA, CERN, CESNET, CSC, DAASI, DFN, EGI, GARR, GRNET, JANET, FZJulich, KIT, LIBER, MZK/Brno, FOM-Nikhef, PSNC, RENATER, STFC/RAL, SURFNet, SURFsara